Wordpress SQLi — how to find
Few days back I wrote about SQLi in wp https://medium.com/websec/wordpress-sqli-bbb2afcc8e94, but only described the issues ( few months back was described publicly already, with my post I was pointing towards this issue as security issue, not as bad usage and not following the api docs from plugin/themes devs) in the DB
prepare method and I gave a sample with
delete_metadata vulnerable function. For those who are watching/monitoring the wp eco system closely from infosec aspect everything is clear, they have finished their job long time ago, but the rest of the developers have no idea what is happening under the hood and that is not good! (this opens another topic regarding reporting/handling security issues in the wp world, but this will be covered later)
Here I’ll give a guide, how to check if your own plugins are vulnerable to SQLi caused by this method (you can check another plugins too, atm I have few popular plugins that I can’t contact them, because finding the right contact info is real pain… ):
- Check if there is user input in the
$queryparameter when you use
- Best results give searching for this pattern
$wpdb->prepare(*INover some code base. This way you can find what and when was fixed in the past too, when you look at the implode directives above it.
- Check for
get_search_sqlmethod implementation in the
class-wp-(most-of-them)-query.phpwhen this function have 2+ parameters e.g.
$search_columnsis set. There are most of the time applied filters on this variable before passed to the method. Also keep an eye on it when it is implemented in the plugins specific query class.
get_page_by_titlefunction when is called with 3rd parameter and this parameter have any chance to be from the input.
delete_metadatacalled with 5 parameters where 4th parameter is set from user input and 5th parameter is
When I say user input it doesn’t mean it is only HTTP request for that place. Could be any input from files, database, http requests.
In case you use this knowledge and locate SQLi in some plugin ( I have found 10+ of them in quite popular plugins ) after you finish the reporting/fixing/disclosure procedure, drop me a note to add it to the list I make.
Oh, almost to forgot, I plan to release the patch I have proposed 10 months ago for this method, but this time with little tweak and I’ll release it after the patch that will be provided by the wp team, if they do that in the next month or two…